CCleaner, distributed by anti-virus firm Avast, contained malicious backdoor

Digitally-signed version of CCleaner 5.33 secretly stole information from users’ computers.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

CCleaner, distributed by anti-virus firm Avast, contained malware

CCleaner is a popular Windows utility used by many millions of internet users to remove cookies, wiped browsing histories, and clean-up temporary internet files where malware might be lurking.

It’s the kind of tool that many tech-savvy Windows users rely upon to speed up and optimise their PCs.

It’s not the sort of program that they expect to introduce malware onto their systems. But unfortunately, that’s precisely what appears to have occurred.

Ccleaner

Because CCleaner has suffered a “security incident” which saw users updated with a legitimate digitally-signed version of the software which opened a malicious backdoor.

The scale of the potential threat cannot be underestimated. Last year, CCleaner was boasting that it had been downloaded in total over two billion times, and was seeing five million additional users per week.

Sign up to our free newsletter.
Security news, advice, and tips.

As a security notification on CCleaner’s support forum explains, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised.

Ccleaner security notification

Once in place, the malware would wait five minutes, determine if the user had admin privileges, and then steal information from PCs, such as the computer’s name, a list of installed software and Windows updates, running processes, MAC addresses of network adapters alongside additional information.

The stolen data was then sent to a US-based server under the control of a hacker.

Researchers at Cisco Talos, who first identified the problem, discovered that the installer for CCleaner v5.33 – first delivered to users’ computers by the legitimate CCleaner download servers on August 15, 2017 – was the culprit.

What make things most concerning is that the malicious code was digitally signed using a valid digital certificate issued to the software’s developer Piriform, who were acquired by anti-virus firm Avast just two months ago.

Cetificate

Cisco Talos researchers warn that the fact the binary was digitally signed using the software developer’s valid certificate is of particular concern:

“…it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”

Cisco Talos researchers immediately informed Avast of the problem, and offending versions of the CCleaner installer containing the malicious payload are no longer available from the CCleaner download website. Law enforcement agencies have also been informed of the situation, and the third-party server that was set up to receive stolen data has been taken down.

It goes without saying that anyone still using version 5.33 of CCleaner needs to update to the (safe) version 5.34 as soon as possible. This message needs to especially get out to users of the free edition of CCleaner, as it does not feature automated updates and requires them to manually download updates. (Of course, the lack of automatic updates for the free edition of CCleaner may actually have reduced the total number of users put at risk by the compromised version.)

It’s worth pointing out that you may want to go one step further than just downloading a fixed version of CCleaner. After all, if you ran version 5.33 of CCleaner your PC may have been compromised. It might be sensible to roll-back your computer to a backup created before you installed that poisoned version of CCleaner.

And, if you’re in any doubt as to the scale of the potential threat, cast your mind back a few months when ransomware spread around the world after being seeded through a malicious automatic update to a popular Ukrainian accounting software, or when in late 2016 attackers hijacked Ask Toolbar updates to install suspicious code.

For more discussion of the CCleaner security incident, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #045: 'Deloitte fail, CCleaner, and dotards on Twitter'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

15 comments on “CCleaner, distributed by anti-virus firm Avast, contained malicious backdoor”

  1. Mathieu

    Typo : "Bad unfortunately, that's precisely what appears to have occurred."

    Yoy must have meant to say: "But unfortunately,"

    1. Graham CluleyGraham Cluley · in reply to Mathieu

      Thanks – I thought I had fixed that hours ago, but clearly I forgot to press the "Update" button in my CMS.

      You see, manual updating can lead to failure for us bloggers too… ;-)

      1. Vic Eizenga · in reply to Graham Cluley

        Avast did make Ccleaner

      2. Michael Ponzani · in reply to Graham Cluley
    2. JavaJoe · in reply to Mathieu

      A report on a significant security breach, and you're concerned about the grammar! Too funny.
      <wags head>

  2. zdest33

    3% of 2 billion downloads, is still a lot – but no where near 2 billion.

  3. mark

    The backdoor was only in the 32 bit version. If you have the 64 bit version you were not effected.

    1. Michael Ponzani · in reply to mark
  4. DeepSysAdmin

    Just delete your own history and run disk cleanup – all baked into your web browser (s) and windows.

  5. drsolly

    This is the standard nightmare of every antivirus company.

  6. David L

    The timing is suspicious, in that, it was done not long after Avast took over. One has to wonder whether a disgruntled, or perhaps fired, ex-employee was behind this. Especially in light of the digital signed cert. Surely law enforcement will be looking in that direction first.

  7. Joe

    They say the problem is fixed and it only affected the 32 bit version. I wonder if the hacker may already be working on hacking the 64 bit version next.

    Piriform was bought by anti-virus firm Avast just two months ago. Seems strange that this happened soon after this transaction. I kind of wonder about the credibility is Avast software after this. Maybe a disgruntled employee at Piriform did not like this sell out and sabotaged the CCleaner software.

  8. Michael Ponzani

    Thank God I didn't run mine. I have the free version and just updated it. They send out a stern warning. The paid version of Malware Bytes also blocks almost every page unless you allow the page to run. Since I only have a few days left on the trial, I'm not going to bother. An then there's Bitdefender at the end of the month. Their videos on the lack of privacy are really eyeopening.

  9. Dave

    "We fixed it. Trust us. No other versions were affected." Prior to this discovery, they would have assured us all that NO versions were affected by Malware. My first thought is that their entire Quality Control team should be relieved of their duties.

    How can we ever trust this company again?

  10. Tammi

    Oh crap, I'm still using v5.32.6129 and the 64bit version at that. I miss all the fun.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.